Nations can no longer afford to go it alone on cyber-security

Cyber-crime knows know borders, so nor should our defences.

Senior representatives from more than 90 governments met in Seoul recently to discuss cyber-space, including cyber-security and cyber-crime. It was the third in a series of international conferences that has followed a push from the UK government to bring a more international perspective to discussions about how to keep cyber-space open while addressing threats.

Cyber-crime does not operate in a world confined by national borders so an international response is our only option. We need to cooperate to protect devices and information infrastructures from malicious entities seeking to steal secrets, deny access to critical services and exploit our identities to commit crimes.

Vulnerable businesses
There is much work to be done. Weaknesses in infrastructures, policy and operations leave us vulnerable and threats to businesses and individuals are frequent and damaging. For example, a sophisticated malicious software recently infected a PC at a small British bakery, then managed to bypass all of the business’s online banking security software and steal £20,000. There is no end to the news of malware, viruses and spam that affect online accounts and home computers.

Recent research indicates that four in five of the UK’s largest quoted companies are unprepared for cyber attacks. The widely reported threats to systems within finance and banking are an uneasy reminder of our vulnerability – and a key priority of the Bank of England and other financial regulators. Even those companies that you might expect to see outsmarting cyber-criminals are not immune. Just a few weeks ago software company Adobe admitted that its system had been hacked and that data from nearly 3 million customers had been stolen. Now there are reports of ransomware attacks across companies in East London’s hi-tech cluster of businesses.

Currently, too many decisions relating to cyber-security rely on inadequate evidence, inconsistent data, deficient reporting and varying rules across networks and systems. This inconsistency on data is apparent in UK government. Two years ago the UK Cabinet Office published a study by Detica, which estimated that cyber-crime costs the UK economy £27bn per year. It gave a breakdown by business sector and type of crime. This type of data is critical for governments, businesses and technology companies to plan appropriate security responses. However, a 2012 study undertaken by Professor Ross Anderson and colleagues for the Ministry of Defence calculated that a more realistic estimate would be closer to £12bn, distributed in significantly different ways to the Detica claims. This would suggest a different pattern of appropriate responses.

Defence beyond borders
A report to which I contributed, Now for the Long Term calls for the creation of an information exchange - CyberEx - to start tackling these issues. It could be funded by governments and businesses with an interest in collecting and analysing data on cyber-attacks to inform their own decisions about cyber-security. Each could share their own information and coordinate with others on responses to international threats. CyberEx could identify weaknesses in the global system, flag up suspicious Internet traffic and malicious software and help countries and businesses develop technical standards for their cyber-security efforts.

It could seek to minimise common vulnerabilities that enable the theft of sensitive information and the distribution of spam through systems, and work closely with international and domestic agencies to prevent common system attacks. The platform could also provide a useful mechanism for stakeholders to work together on responses to collective concerns, such as privacy protection. By providing an accessible, open platform for information exchange, CyberEx could help governments, businesses and individuals to better understand common threat patterns, identify preventative measures and minimise future attacks.

But you are only as strong as your weakest link, so CyberEx would also need to help developing countries improve their cyber infrastructure. For example, Professor Anderson’s MoD study concluded that significant numbers of “stranded traveller” scams and Advance Fee Frauds originate in West Africa, particularly Nigeria.

We are at the start of conversations with interested parties on the potential for CyberEx, so the details of how and where the exchange would be hosted are still to be worked out. The report’s recommendation is a starting point but it is an important one. It could move us closer to using an exchange platform to counter common but high-risk cyber threats. It is a conversation that must continue if we are to meet the challenges posed by increased societal dependence on information infrastructures.

Ian Brown receives funding from the UK Research Councils (currently EPSRC), the European Commission, and BT. He is on the advisory councils of the Open Rights Group, Privacy International and the Foundation for Information Policy Research.

This article was originally published at The Conversation. Read the original article.

The Conversation

We can't fight cyber-crime by ourselves. (Photo: Getty)
Apple
Show Hide image

Is Apple Music really deleting users’ songs without their consent?

It's hard to tell – but the iTunes Terms and Conditions seem to cover the company even if it does.

Musician James Pinkstone was a new Apple Music user when he realised that 122GB of music was missing from his computer.

According to a long blogpost he published on Wednesday, Apple Music attempted to “match” his music with songs in its online library via a function called “iMatch”. It then, Pinkstone claims, deleted all 122GB of his original files – collected from CDs, bought, and even created himself over a lifetime – from his hard drive.  

Luckily, Pinkstone was able to restore his library from a backup, but if what he says is true, it’s outrageous for a number of reasons. Apple Music streams music to users, meaning you need to be connected to Wi-Fi while you’re listening, so it isn’t the same as having an iTunes library of songs you actually own. You can download individual songs from the service to your device, but as Pinkstone writes, “it would take around 30 hours to get my music back” in this way. Your music and playlists also disappear if you stop paying your Apple Music subscription fee.

Meanwhile, iMatch has been notoriously rubbish at matching your files with music library entries, sparking lots of user complaints already. Pinkstone says a Fountains of Wayne song was replaced by a later version, for example, so he would have been unable to get the original song back.

So is it true? It’s not totally clear what happened to Pinkstone’s library, but here’s what we know so far.

Apple has said it doesn’t delete users’ music without their consent

Apple declined to give me a statement, but referred me to the piece “No, Apple Music is not deleting tracks off your hard drive – unless you tell it to” on the site iMore, which is not affiliated with the company but which the spokesperson described as “accurate background”.

Its author, Serenity Caldwell, explains that you have “primary” and “secondary” devices on Apple Music, and that on secondary devices (usually phones or tablets) in particular it’s advisable to delete your physical copies of songs to free up space – after all, you can stream everything via Apple Music anyway or download individual songs if you need them.

However, users should never delete files from their “primary” device (usually your desktop or laptop computer) because they’d lose the master copy of their songs forever.

…But customers might be giving that consent by accident

Jason Snell, a writer, speculated on Twitter that a misleading dialogue box may have caused Pinkstone his problems.

When you delete a song on any device, a dialogue box pops up offering to “delete” the song from “your iCloud Music Library and from your other devices” (emphasis mine). It’s more than possible that users would click this “delete” button rather than the less obvious “remove download” option which removes the song only from that device.

Apple Music’s terms and conditions cover it if it does delete your songs

Pinkstone seems to argue that he did no such thing, however, and it’s possible that there’s a bug as yet undiscovered by Apple which is deleting songs at will.

However, as Pinkstone points out, iTunes terms of use actually do cover it in the event the programme damages your files, or your property in general.

One section reads:

“IN NO CASE SHALL APPLE, ITS DIRECTORS, OFFICERS, EMPLOYEES, AFFILIATES, AGENTS, CONTRACTORS, OR LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OF THE APPLE MUSIC SERVICE OR FOR ANY OTHER CLAIM RELATED IN ANY WAY TO YOUR USE OF THE APPLE MUSIC SERVICE, INCLUDING, BUT NOT LIMITED TO, ANY ERRORS OR OMISSIONS IN ANY CONTENT OR APPLE MUSIC PRODUCTS, OR ANY LOSS OR DAMAGE OF ANY KIND INCURRED AS A RESULT OF THE USE OF ANY CONTENT OR APPLE MUSIC PRODUCTS POSTED, TRANSMITTED, OR OTHERWISE MADE AVAILABLE VIA THE APPLE MUSIC SERVICE, EVEN IF ADVISED OF THEIR POSSIBILITY.”

Elsewhere, it defends its right to withdraw access to Apple products at will  including songs and albums you're under the impression you bought from them outright:

Apple and its principals reserve the right to change, suspend, remove, or disable access to any iTunes Products, content, or other materials comprising a part of the iTunes Service at any time without notice. In no event will Apple be liable for making these changes.

Tl;dr: Until there’s some explanation for Pinkstone’s lost library, it might be a good idea to avoid using the iMatch function, or even Apple Music altogether. It seems very unlikely that the software would be able to delete files without your consent, but given you aren’t covered if they do, it’s better to be safe than sorry.

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.